if args.mode == "encrypt": logging.info( ">>>>>>>>>>> Start Encryption with locally generated key. <<<<<<<<<<<" ) ## Send pubsub messages using two different symmetric keys ## Note, i'm not using the expiringdict here...i'm just picking a DEK, sending N messages using it ## then picking another DEK and sending N messages with that one. ## The subscriber will use a cache of DEK values. If it detects a DEK in the metadata that doesn't ## match whats in its cache, it will use KMS to try to decode it and then keep it in its cache. for x in range(5): logging.info("Rotating symmetric key") # create a new TINK AES DEK and encrypt it with KMS. # (i.,e an encrypted tink keyset) cc = AESCipher(encoded_key=None) dek = cc.getKey() logging.info(cc.printKeyInfo()) logging.debug("Generated dek: " + dek) logging.info("Starting KMS encryption API call") encrypt_response = kms_client.encrypt( request={ 'name': name, 'plaintext': dek.encode('utf-8'), 'additional_authenticated_data': tenantID.encode('utf-8') }) dek_encrypted = base64.b64encode( encrypt_response.ciphertext).decode('utf-8') logging.info("Wrapped dek: " + dek_encrypted)
logging.debug("End PubSub Publish") logging.info(">>>>>>>>>>> END <<<<<<<<<<<") if args.mode =="encrypt": logging.info(">>>>>>>>>>> Start Encryption with locally generated key. <<<<<<<<<<<") ## Send pubsub messages using two different symmetric keys ## Note, i'm not using the expiringdict here...i'm just picking a DEK, sending N messages using it ## then picking another DEK and sending N messages with that one. ## The subscriber will use a cache of DEK values. If it detects a DEK in the metadata that doesn't ## match whats in its cache, it will use KMS to try to decode it and then keep it in its cache. for x in range(30): logging.info("Rotating symmetric key") ac = AESCipher(encoded_key=None) dek = ac.getKey().encode() logging.debug("Generated dek: " + base64.b64encode(dek).decode() ) logging.info("Starting KMS encryption API call") dek_encrypted = kms_client.encrypt(name=name, plaintext=dek,additional_authenticated_data=tenantID.encode('utf-8')) dek_key_wrapped = dek_encrypted.ciphertext logging.info("Wrapped dek: " + base64.b64encode(dek_key_wrapped).decode('utf-8')) logging.info("End KMS encryption API call") logging.debug("Starting AES encryption") cleartext_message = { "data" : "foo".encode(),